Wednesday, December 12, 2018

NIST SP 800-171 and CMMC

U.S. government contracts now include clauses that require contractors and subcontractors (at all tiers) to provide “adequate security” to safeguard certain types of government information that resides in or transits their internal systems, by including the following Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) contract clauses:

  • FAR clause 52.204-21 Basic Safeguarding of Covered Information Systems (June 2016). Requires compliance upon award with “basic safeguarding” of covered contractor information systems with “federal contract information.”
  • DFARS clause 204.73 Safeguarding Covered Defense Information and Cyber Incident Reporting (Revised December 28, 2017)
  • DFARS clause 239.76 Cloud Computing.
  • DFARS clause 252.204-7008 Compliance with Safeguarding Covered Defense Information Controls (October 2016). Requires that the Offeror represent that it will implement the security requirements specified by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”
  • DFARS clause 252.204-7009 Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information.
  • DFARS clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting (October 2016). Requires contractors to provide “adequate security” for covered defense information that is processed, stored, or transmitted on the contractor’s internal information system or network. To provide adequate security, the contractor must, at a minimum, implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” Requires implementation of NIST SP 800-171 as soon as practicable, but no later than December 31, 2017; NIST SP 800-171 includes cyber security controls for internal systems with “covered defense information” (CDI). There are 110 security controls selected from 14 control families in NIST SP 800-53 (as of Revision 4, NIST SP 800-53 has 18 control families and an additional 8 if the Privacy Overlay is applied). To have implemented NIST SP 800-171 for purposes of this DFARS clause, companies must have performed a self-assessment of their covered systems, completed a System Security Plan (SSP) and, as applicable, a Plan of Actions and Milestones (POA&M). Contractors must notify the DoD CIO of which controls are not compliant within 30 days of contract award.
  • DFARS clause 252.204-7019 (concerns self-assessment)
  • DFARS clause 252.204-7020
  • DFARS Clause 252.204-7021. Cybersecurity Maturity Model Certification Requirements (November 2020). Requires the contractor to have a current (not older than 3 years) CMMC certificate at the CMMC level required by the contract and maintain the CMMC certificate at the required level for the duration of the contract. The prime contractor must include this clause in subcontracts.

  • NIST published guidance in June 2018 for the assessment of the security controls discussed in NIST SP 800-171; see NIST SP 800-171A, "Assessing Security Requirements for Controlled Unclassified Information." Currently, compliance is achieved by the contractor or a hired outside party performing a self-assessment; the government does not currently have an assessment process in place to formally grant authorization for contractor information systems (e.g. ATO). Per Implementation of DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, September 21, 2017:
    Third party assessments or certifications of compliance are not required, authorized, or recognized by DoD, nor will DoD certify that a contractor is compliant with the NIST SP 800-171 security requirements.
    In November 2018, DoD OSD published the following Memorandum: Guidance for Assessing Compliance and Enhancing Protections Required by DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. The memorandum references the following two documents for reviewing and assessing contractor compliance with NIST SP 800-171:

    • DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented. According to the memorandum, this document will assist acquisition personnel in the following ways:
      • Enable the consistent review of System Security Plans and Plans of Action & Milestones
      • Address the impact of ‘not yet implemented’ security requirements
      • Provide clarification on implementing NIST SP 800-171 security requirements
    • Guidance for Assessing Compliance of and Enhancing Protections for a Contractor's Internal Unclassified Information System. The government can require additional cybersecurity requirements above and beyond NIST SP 800-171 by including a Statement of Work (SOW) referencing a DoD approved list of enhanced security requirements in Section C of a solicitation. Section L will require the contractor to describe their implementation of additional cybersecurity requirements which will be evaluated according to the criteria described in Section M. Delivery of the following documentation may be required per Section L with detail on how evaluation of compliance of NIST SP 800-171 will be conducted and requirements for an “Acceptable” (Go/No Go threshold) identified in Section M:
      • Contractor’s System Security Plan (or extracts thereof) and POA&M
      • Conduct on-site government assessment of each Offeror’s internal unclassified information system in accordance with Section M and NIST SP 800-171A
      • Identify known Tier 1 Level Suppliers and request contractor’s plan to: i) track flow down of covered defense information, and ii) assess DFARS Clause 252.204-7012 compliance of known Tier 1 Level Suppliers
      • Identify DoD controlled unclassified information requiring protection in accordance with DFARS Clause 252.204-7012 and NIST SP 800-171
    On January 21, 2019, Ellen Lord, the Undersecretary of Defense for Acquisition and Sustainment, issued a memorandum "Addressing Cybersecurity Oversight as Part of a Contractor's Purchasing System Review." She asks the Director, Defense Contract Management Agency (DCMA), to validate, for contracts for which DCMA provides contract administration and oversight, contractor compliance with the requirements of DFARS clause 252.204-7012. Specifically, DCMA will leverage its review of a contractor's purchasing system in accordance with DFARS Clause 252.244-7001, Contractor Purchasing System Administration, in order to:
    • Review contractor procedures to ensure contractual DoD requirements for marking and distribution statements on DoD CUI flow down appropriately to their Tier 1 level suppliers.
    • Review contractor procedures to assess compliance of their Tier 1 level suppliers with DFARS Clause 252.204-7012 and NIST SP 800-171.
    NIST SP 800-171B, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets," was released for public comment. Comments are due July 19, 2019.

    NIST SP 800-171B is a draft document offering additional recommendations for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations where that information runs a higher than usual risk of exposure.  When CUI is part of a critical program or a high value asset (HVA), it can become a significant target for high-end, sophisticated adversaries (i.e., the advanced persistent threat (APT)).  The enhanced security requirements are to be implemented in addition to the basic and derived requirements in NIST SP 800-171.  The enhanced security requirements will only be applicable for a nonfederal system or organization when mandated by a federal agency in a contract, grant, or other agreement.

    NIST also posted a draft NIST SP 800-171 Revision 2.  This update provides minor editorial changes in Chapter One, Chapter Two, and the Glossary, Acronyms, and list of References.  There are no changes to the basic and derived security requirements.  The public comment period for this document is also June 19 to July 19, 2019.

    The draft documents are posted on DIBNet-U and also at: https://csrc.nist.gov/publications/detail/sp/800-171b/draft and https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/draft.
    Highlights:
      • Controls are selected from the Moderate baseline in NIST SP 800-53 to address Confidentiality (Integrity and Availability are omitted). 14 control families (out of 18) from NIST SP 800-53: Access Control (AC), Awareness and Training (AT), Audit and Accountability (AU), Security Assessment and Audit (CA), Configuration Management (CM), Identification and Authentication (IA), Incident Response (IR), Maintenance (MA), Media Protection (MP), Physical and Environmental Protection (PE), Personnel Security (PS), Risk Assessment (RA), System and Communications Protection (SC), System and Information Integrity (SI). The Contingency Planning (CP), Planning (PL), System and Services Acquisition (SA), and Program Management (PM) control families and the Privacy overlay are not included due to the tailoring criteria. Requirements are specified in NIST SP 800-171 Chapter 3; although the requirements are separated by family as defined by NIST SP 800-53, the NIST SP 800-53 controls and control enhancements are not used/do not apply. A mapping of the NIST SP 800-171 Basic Security Requirements to NIST SP 800-53 relevant security controls is provided in Appendix D for informational purposes only.
      • The security requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.
      • Incidents on contractor network(s) must be reported to the DoD within 72 hours.
      • What is the definition of an incident? An incident versus compromise/breach must be defined. Contractor should develop Incident Response Plan (IRP). IRP needs to define the format of the report being sent to DoD, recipient(s), delivery mechanism (e.g. upload to a web site, encrypted email). Is participation in the DoD Defense Industrial Base (DIB) Cybersecurity (CS) program required?
      • Appendix E provides the specific tailoring criteria for eliminating a requirement from the Moderate baseline. The requirements and controls are tailored to eliminate requirements, controls, or parts of controls that are:
        • uniquely federal (i.e., primarily the responsibility of the federal government);
        • not directly related to protecting the confidentiality of CUI;  or
        • expected to be routinely satisfied by nonfederal organizations without specification.
      • The Government can require delivery of the contractor's SSP (or extracts thereof).
      • Organizations that have implemented or plan to implement the NIST Framework for Improving Critical Infrastructure Cybersecurity can find in Appendix D of this publication, a direct mapping of the Controlled Unclassified Information (CUI) security requirements to the security controls in NIST Special Publication 800-53 and ISO/IEC 27001. These controls are also mapped to the specific Categories and Subcategories associated with Cybersecurity Framework Core Functions: Identify, Protect, Detect, Respond, and Recover. 
        • Mapping NIST Special Publication 800-53 security controls to the Cybersecurity Framework: https://www.nist.gov/file/372651.
        • Mapping NIST Special Publication 800-171 requirements to the Cybersecurity Framework: https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final.
      • Compliance is assessed in accordance with NIST SP 800-171A. The assessment methods are to:
        • Examine policy documents, procedures, test results, and other relevant documents or records
        • Interview personnel with relevant responsibilities for implementing or testing the control
        • Test mechanisms and processes associated with the control.
      • Beginning in January 2020, DoD expects to start assessing contractor compliance using a 5-level Cybersecurity Maturity Model Certification (CMMC).
      Key Concerns:
      • Requires the contractor to identify Tier 1 Level suppliers
      • Requires the contractor to provide a plan to track the flow of CDI and assess the compliance of known Tier 1 Level suppliers
      • A standard for the data content and format to be used in NIST SP 800-171 System Security Plans (DI-MGMT-82247). Note that NIST SP 800-18, "Guide for Developing Security Plans for Federal Information Systems," February 2006, provides an SSP Template in Appendix A:  Sample Information System Security Plan Template.
      • Adding cybersecurity measures on top of those found in NIST SP 800-171
      • Creating an “Acceptable” (Go/No Go threshold) rating, which may require certain “must-have” NIST 800-171 requirements to be in place before an award can be made.
      • Incorporate 800-171 compliance as a technical evaluation factor, which often becomes part of the weighted score for contract awards
      • Conducting on-site assessments, using NIST SP 800-171A: Assessing Security Requirements for Controlled Unclassified Information
      • Requiring a contractor to complete a new form titled: ‘Contractor’s Record of Tier 1 Level Suppliers Receiving/Developing Covered Defense Information’
      • Requesting a contractor’s plan to track flow down of covered defense information
      • Requesting a contractor’s plan to assess the compliance of their own suppliers
      • Develop a Data Classification Guide to identify the CUI and any other information types requiring special handling and protection (e.g. NDA, TA, proposals, pricing data, company proprietary technical data, etc.). Supporting Data Handling Guidelines should state the data lifecycle (Create, Store, Use, Share, Archive, Destroy) and describe how CUI is handled and protected. These guidelines should be communicated to all users in the boundary as part of onboarding training and at least annually thereafter.
      • Identify where CDI is received, processed, stored, displayed, or transmitted. This includes servers, desktops, laptops, mobile devices, storage systems, networking equipment. Is it possible for the contractor to limit where CDI resides within their network? If so, then scope of application of security controls can be reduced, effectively reducing the time and effort required to achieve compliance.
      • Identify CDI data flows.
      • Implement data loss prevention (DLP) solution to control the flow of CDI.
      • Provide a mechanism (e.g. encryption) for secure storage and dissemination of CDI.
      • Implement multi-factor authentication (MFA).
      • Identify different account types:  user, privileged, system, and policies associated with creating, terminating, and authenticating them. 
      • Document authorized connections.
      • Document storage (digital and media) policies including locations, retention, and destruction.
      • Implement an endpoint management solution (e.g. require devices to be authorized for network connection, identify rogue devices, assess health of connected devices).
      • Implement an audit log collection and analysis solution.
      • Develop an Incident Response Plan (IRP) and address the DoD reporting requirement.
      Recommended/Required Documentation:
      Note that in cases where NIST SP 800-171A requires examination of policies and procedures, the recommended approach is to write a policy document for each control family and include as appendices the specific procedures required to implement the policy.
      • System Security Plan (SSP). NIST SP 800-171 Security Requirement 3.12.4 (System Security Plan) — Requires contractor to develop, document, and periodically update, system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. See Data Item Description (DID) Contractor’s Systems Security Plan and Associated Plans of Action to Implement NIST SP 800-171 on a Contractor’s Internal Unclassified Information System, DI-MGMT-82247 contained in Tab 1 and 2 within GUIDANCE FOR ASSESSING COMPLIANCE OF AND ENHANCING PROTECTIONS FOR A CONTRACTOR’S INTERNAL UNCLASSIFIED INFORMATION SYSTEM. There is no prescribed format or specified level of detail for how that information is conveyed. There is no requirement for the government to approve the system security plan or any associated plans of action for the Contractor’s internal unclassified information system, but the government may request that the Contractor submit the system security plan (or extracts thereof), and any associated plans of action, such that the government may review the Contractor’s implementation of security requirements.
        • Network Topology Diagram
        • Data Flow Diagram
        • Accreditation Boundary Diagram
        • Description of the operational environment
        • Relationships with or connections to other systems
        • Hardware/software/firmware List
      • Plan of Action and Milestones (POA&M). NIST SP 800-171 Security Requirement 3.12.2 (Plans of Action) — Requires contractor to develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems.
      • Contractor’s Record of Tier 1 Level Suppliers Receiving/Developing Covered Defense Information. This document may be required as a Contract Data Requirement List (CDRL) in Section J of a contract solicitation or award. See How to Meet New DoD Requirements for Managing Suppliers’ NIST 800-171 Compliance for guidance on how to prepare this document. See Data Item Description (DID) Contractor’s Record of Tier 1 Level Suppliers Receiving/Developing Covered Defense Information, DI-MGMT-XXXXX contained in Tab 3 and 4 within GUIDANCE FOR ASSESSING COMPLIANCE OF AND ENHANCING PROTECTIONS FOR A CONTRACTOR’S INTERNAL UNCLASSIFIED INFORMATION SYSTEM.
      • Document identifying DoD controlled unclassified information requiring protection in accordance with DFARS Clause 252.204-7012 and NIST SP 800-171.
      • Access Control Policy. Required per the AC security control family. Describe how access to systems is limited to authorized users. Describe who has access to CDI and how that access is limited and controlled. Describe the roles used in the organization (e.g. user, admin, developer, guest), assignment of least privilege, separation of privileged accounts (e.g. .SA, .NA, .DBA, etc.), limitations on service accounts (e.g. no interactive login, logon restricted to specific systems), limitations on shared accounts, how accounts are requested and approved (e.g. form, training or certification requirements, briefing acknowledgement(s)), and other applicable account management procedures. Describe the use of warning banners, controlling remote access, account lockout threshold, session locks and timeouts, mobile device connection rules (including encrypting data at rest and in transit), removable storage media (e.g. external hard drives, flash drives) rules such as whitelisting, and public-facing web site policy (e.g. public affairs officer must approve content).
      • Security Awareness and Training Policy and Materials. Required per the AT security control family. Requires establishing training and/or certification requirements for IT and IA/cybersecurity staff (e.g. DoDD 8140/8570.01-M) and also providing awareness of the security risks associated with any user's activities. Identify company policies, standards, and procedures and provide training for awareness, understanding, and compliance. An Insider Threat Program as required by the NISPOM may be usable.
      • Auditing and Accountability Policy. Establish policy for creation, protection, retention, and review of system logs. Describe mechanism to collect and review logs. Require use of named accounts (e.g. no Administrator, root other than system setup). Eliminate or restrict use of shared accounts. Control service accounts (i.e. do not allow interactive login, restrict permissions and rights including scope). Define audit log retention policy and ensure it is supported by backup implementation. Define log sources and delivery mechanism(s) (e.g. syslog, SNMP TRAP, Splunk Universal Forwarder). Define responsibility and frequency for reviewing logs. Define alerts (e.g. failed login, failed object access, account lockout, account expired, etc.). Define authoritative clock source and synchronization method. Separate Auditor function from Administrator function. Required per AU security control family.
      • Configuration Management Policy. Required per the CM security control family. Document the network and services infrastructure (e.g. hardware/software/firmware list) and the change procedure. Establish and enforce security settings; DISA IASE STIGs and SRGs are one example that can be used but are not required, and another option is the Center for Internet Security (CIS) Benchmarks. Changes to organizational systems must be tracked, reviewed, approved/disapproved, and logged. Provide a security impact analysis for proposed changes (see, for example, the FedRAMP template). Disable or do not install unnecessary services, features, or applications. Restrict firewall rules to only the necessary inbound and outbound ports, protocols and services (PPS); review the risk associated with firewall exceptions against the DISA Category Assurance List (CAL). Maintain a whitelist and blacklist of approved and unapproved software.
      • Identity and Access Management (IdAM or IAM) Policy for identifying and authenticating the information system users and devices. Required per the IA security control family. Describe realms (e.g. private Active Directory, Azure Active Directory) and authentication/verification methods for accessing resources. Describe multifactor authentication (MFA) implementation(s). Describe policies for password complexity, length, re-use, and age. Describe procedures for establishing and terminating accounts. Describe method(s) to distribute initial user passwords.
      • Incident Response Plan (IRP). Required per the IR security control family. Describe preparation, detection, analysis, containment, recovery, and user response activities concerning incidents. Describe how anomalies are detected, how the severity of incidents is determined, and the threshold at which a compromise is declared and reported to the DoD Cyber Crime Center (DC3) within 72 hours. May require participation in the Defense Industrial Base (DIB) Cybersecurity Information Sharing Program (CIS). May require a Contingency Planning Policy although the NIST SP 800-53 CP family of controls is not included in the NIST SP 800-171 requirements. Define the period for testing the plan (no less than annually) and document test results.
      • Maintenance Policy and Procedures. Describes how periodic maintenance is performed, including application of updates and patches. Identify repositories for vendor updates and notifications (e.g. mailing lists). May include patch management plan. Describe method of sanitization of equipment sent off-site for repair. Inspect media (e.g. malware scan) before using in organizational systems. Describe escort procedures for personnel not authorized for access to facilities and systems. Describe corrective/repair maintenance, compliance maintenance, and preventive maintenance (e.g. checking storage utilization and provisioning additional storage and/or archiving files). Required per the MA security control family.
      • Media Protection Policy and Procedures. Required per the MP security control family. Describe protection, sanitization, and destruction of media containing CUI. Describes how media containing CUI (both digital and paper) should be marked and protected from unauthorized users and how media containing CUI should be handled for disposal (e.g. destruction) or release (sanitization) for reuse. Also needs to cover protection of CUI when stored in backups in storage locations. Describe the mechanism for inventorying CUI held by the organization (e.g. media custodian). Describe rules for transporting CUI outside of controlled areas and encryption when stored on removable storage media (e.g. BitLocker To Go, Encryption Wizard).
      • Personnel Security Policy. Required per the PS security control family. Describes how users should be screened prior to granting access to information systems containing CUI, and how systems should be protected during personnel changes such as terminations or transfers.
      • Physical and Environmental Protection Policy. Required per the PE security control family. Describes how physical access to data centers, information systems and storage systems containing CUI should be limited to authorized users. Require escorts, maintain audit logs of physical access, and control and manage access to physical devices.
      • Risk Assessment Policy. Required per the RA security control family. Describes operational risks associated with processing, storing, or transmitting CUI and how they should be periodically assessed (see NIST SP 800-30 for guidance). Scan for vulnerabilities using Security Content Automation Protocol (SCAP)-validated scanning tools (e.g. Nessus, SPAWAR SCAP Compliance Checker (SCC)) and remediate vulnerabilities.
      • Security Assessment and Authorization Policy and Security Planning Policy. Required per the CA security control family. Define the policy for assessing, monitoring, and correcting deficiencies and reducing or eliminating vulnerabilities in information systems. Describes how to assess the effectiveness of security controls on an ongoing basis and how to address deficiencies to limit vulnerabilities. Describe how the System Security Plan (SSP) and Plan of Action and Milestones (POA&M) are maintained. This can mean periodically reviewing and updating the SSP and performing a self-assessment. May require a Continuous Monitoring Plan which defines the reports, dashboards, etc. that demonstrate ongoing compliance.
      • Systems and Communications Protection Policy. Required per the SC security control family. Define how to monitor, control, and protect data at the boundaries of the system, and employ architectural designs, software development techniques and system engineering principles that promote effective information security. Describes the use of secure design, development, and engineering principles to promote effective security within information systems. Also describes how to monitor, control, and protect information transmitted or received by organizational information systems. For example: using a guest network for wireless systems, or a DMZ for Internet-accessible systems; implementing a default deny firewall rule; placing VoIP and VTC equipment in a separate VLAN from users/workstations and servers; and using encryption for data at rest and in transit. May also require a Mobile Code Implementation Policy.
      • System and Information Integrity Policy. Required per the SI security control family. Describes the process for identifying, reporting, and correcting information system flaws and vulnerabilities in a timely manner. Define and describe the security architecture such as the DMZ and other intranet zones which separate traffic, firewall rules, and VPN rules (e.g. no split-tunneling). Describe protection mechanisms for remote activation of collaborative computing devices (e.g. cameras, microphones). Define the mobile code policy and describe the mechanism(s) to control and monitor it. This is more concerned with boundary defense and passive scanning than active vulnerability scanning. Identify sources of security alerts to be monitored (e.g. vendor sites, USCYBERCOM IAVM, US-CERT, etc.). May also include a Continuous Monitoring Strategy.
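The Auditing and Accountability Policy bullet above asks you to define alerts (failed login, failed object access, account lockout, account expired), require named accounts, and pick an authoritative clock source. The following is an added example, not code from the original post, of what that policy looks like once it is turned into detection logic. The log line format, host names, user names, IP addresses and the lockout threshold/window values are all constructed for illustration; the clock check flags a host whose timestamps run backwards, which is what you would see when time synchronization is broken.

```python
"""Detection logic for the alert classes named in the audit policy (failed login,
failed object access, account lockout, account expired), run over constructed
sample log lines.  Log format, host names, user names and IPs are made up for
this example; the thresholds are placeholder values, not DoD-mandated ones."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed line format (assumption): "<ISO-8601 UTC> <host> <EVENT> user=<user> [src=<ip>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+) user=(?P<user>\S+)(?: src=(?P<src>\S+))?$"
)

FAILED_LOGIN_THRESHOLD = 3                   # placeholder lockout threshold from the AC policy
FAILED_LOGIN_WINDOW = timedelta(minutes=10)  # placeholder observation window
GENERIC_ACCOUNTS = {"administrator", "root", "admin"}  # policy: named accounts only

Alert = Tuple[str, str, str]  # (severity, rule, message)


@dataclass
class Event:
    ts: datetime
    host: str
    event: str
    user: str
    src: Optional[str]


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return Event(ts, m["host"], m["event"], m["user"], m["src"])


def analyze(lines) -> List[Alert]:
    """Return alerts in log order, one per triggered rule."""
    alerts: List[Alert] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # user -> recent failure times
    last_ts: Dict[str, datetime] = {}                          # host -> newest timestamp seen
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable lines are dropped here; a real collector should count them

        # Clock sanity: events from one host should not run backwards if time sync works
        prev = last_ts.get(ev.host)
        if prev is not None and ev.ts < prev:
            alerts.append(("medium", "clock_skew",
                           f"{ev.host}: {ev.ts.isoformat()} is earlier than {prev.isoformat()}; check NTP"))
        last_ts[ev.host] = ev.ts if prev is None else max(prev, ev.ts)

        if ev.event == "FAILED_LOGIN":
            q = failures[ev.user]
            q.append(ev.ts)
            while q and ev.ts - q[0] > FAILED_LOGIN_WINDOW:  # drop failures outside the window
                q.popleft()
            if len(q) >= FAILED_LOGIN_THRESHOLD:
                alerts.append(("high", "brute_force",
                               f"{ev.user}: {len(q)} failed logins within {FAILED_LOGIN_WINDOW} on {ev.host} from {ev.src}"))
                q.clear()  # one alert per burst
        elif ev.event == "ACCOUNT_LOCKOUT":
            alerts.append(("high", "lockout", f"{ev.user} locked out on {ev.host}"))
        elif ev.event == "ACCOUNT_EXPIRED":
            alerts.append(("low", "expired_account", f"expired account {ev.user} used on {ev.host}"))
        elif ev.event == "OBJECT_ACCESS_FAILED":
            alerts.append(("medium", "object_access", f"{ev.user} denied object access on {ev.host}"))
        elif ev.event == "LOGIN_OK" and ev.user.lower() in GENERIC_ACCOUNTS:
            alerts.append(("medium", "generic_account",
                           f"interactive login with shared account {ev.user} on {ev.host} from {ev.src}"))
    return alerts


# Constructed sample log (not real data)
SAMPLE_LOG = """\
2019-06-20T08:00:00Z fs01 FAILED_LOGIN user=alice src=10.1.2.3
2019-06-20T08:00:30Z fs01 FAILED_LOGIN user=alice src=10.1.2.3
2019-06-20T08:01:00Z fs01 FAILED_LOGIN user=alice src=10.1.2.3
2019-06-20T08:01:05Z fs01 ACCOUNT_LOCKOUT user=alice
2019-06-20T08:05:00Z ws07 LOGIN_OK user=Administrator src=10.1.5.9
2019-06-20T08:06:00Z ws07 OBJECT_ACCESS_FAILED user=bob
2019-06-20T08:04:00Z ws07 LOGIN_OK user=bob src=10.1.5.10
2019-06-20T09:00:00Z fs01 ACCOUNT_EXPIRED user=carol src=10.1.2.7
this line is not in the expected format
""".splitlines()

if __name__ == "__main__":
    for severity, rule, message in analyze(SAMPLE_LOG):
        print(f"[{severity:6}] {rule:16} {message}")
```

Each alert carries the rule name so the policy's "define responsibility and frequency for reviewing logs" can map rules to owners; the unparseable last line is skipped rather than trusted, and in production you would count such drops, since a collector silently losing lines is itself an audit finding.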
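The Configuration Management Policy bullet above says to restrict firewall rules to only the necessary ports, protocols and services (PPS) and to review exceptions against the DISA CAL, and the Systems and Communications Protection bullet calls for a default deny rule. As an added example that is not part of the original post, the script below reviews a constructed rule set against a placeholder approved-PPS list: it flags any-to-any allows, rules that open every port or protocol, allows whose PPS is not on the approved list (distinguishing ones that have a change ticket from ones that do not), and a rule chain that does not end in a deny-all. The rule names, addresses, ticket number and the approved list are all assumptions; the real CAL is not reproduced.

```python
"""Review of a firewall rule set against an approved ports/protocols/services
(PPS) list.  The rules and the approved list are constructed for this example;
the DISA Category Assurance List is not reproduced here."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

Finding = Tuple[str, str, str]  # (severity, rule name or direction, message)


@dataclass
class Rule:
    name: str
    direction: str          # "in" or "out"
    action: str             # "allow" or "deny"
    proto: str              # "tcp", "udp" or "any"
    port: str               # single port, range such as "1024-65535", or "any"
    src: str                # CIDR or "any"
    dst: str                # CIDR or "any"
    ticket: Optional[str] = None  # change ticket that documents an approved exception


# Placeholder approved PPS list (assumption): (protocol, port) pairs already risk-reviewed
APPROVED_PPS: Set[Tuple[str, str]] = {
    ("tcp", "443"), ("tcp", "22"), ("tcp", "53"), ("udp", "53"), ("udp", "123"),
}


def is_default_deny(rule: Rule) -> bool:
    """True if the rule denies everything: the catch-all that must close each direction."""
    return rule.action == "deny" and rule.src == "any" and rule.dst == "any" and rule.port == "any"


def review_rule(rule: Rule) -> Optional[Finding]:
    """Check one allow rule; deny rules need no PPS justification."""
    if rule.action != "allow":
        return None
    if rule.src == "any" and rule.dst == "any" and rule.port == "any":
        return ("high", rule.name, "any-to-any allow on all ports defeats the default-deny posture")
    if rule.port == "any" or rule.proto == "any":
        return ("medium", rule.name, "allows every port or protocol; restrict to the required PPS")
    if (rule.proto, rule.port) not in APPROVED_PPS:
        if rule.ticket:
            return ("low", rule.name,
                    f"{rule.proto}/{rule.port} is an exception documented in {rule.ticket}; confirm the risk review")
        return ("high", rule.name,
                f"{rule.proto}/{rule.port} is not on the approved PPS list and has no change ticket")
    return None


def review(rules: List[Rule]) -> List[Finding]:
    """Findings for every rule, then a structural check that each direction ends in deny-all."""
    findings = [f for f in (review_rule(r) for r in rules) if f is not None]
    for direction in ("in", "out"):
        chain = [r for r in rules if r.direction == direction]
        if not chain or not is_default_deny(chain[-1]):
            findings.append(("high", direction, f"{direction}bound chain does not end with a default-deny rule"))
    return findings


# Constructed rule set (not a real configuration); CHG-0042 is a placeholder ticket id
SAMPLE_RULES = [
    Rule("web-in", "in", "allow", "tcp", "443", "any", "10.0.1.0/24"),
    Rule("ssh-mgmt", "in", "allow", "tcp", "22", "10.0.9.0/24", "10.0.1.0/24"),
    Rule("legacy-ftp", "in", "allow", "tcp", "21", "any", "10.0.1.5"),
    Rule("vendor-rdp", "in", "allow", "tcp", "3389", "203.0.113.7", "10.0.1.8", ticket="CHG-0042"),
    Rule("temp-any", "in", "allow", "any", "any", "any", "any"),
    Rule("default-in", "in", "deny", "any", "any", "any", "any"),
    Rule("dns-out", "out", "allow", "udp", "53", "10.0.1.0/24", "any"),
    Rule("ntp-out", "out", "allow", "udp", "123", "10.0.1.0/24", "any"),
    Rule("all-out", "out", "allow", "tcp", "any", "10.0.1.0/24", "any"),
]

if __name__ == "__main__":
    for severity, subject, message in review(SAMPLE_RULES):
        print(f"[{severity:6}] {subject:12} {message}")
```

The ticketed exception is reported at low severity rather than suppressed, because the policy's point is that exceptions are reviewed and logged, not that they disappear; an allow with no ticket and no approved PPS is the case that should block a change.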
      Tools and Templates:
      • Department of Homeland Security (DHS) United States Computer Emergency Readiness Team (US-CERT) Cybersecurity Evaluation Toolset (CSET). The Cyber Security Evaluation Tool (CSET®) is a Department of Homeland Security (DHS) product that assists organizations in protecting their key national cyber assets. It was developed under the direction of the DHS National Cyber Security Division (NCSD) by cybersecurity experts and with assistance from the National Institute of Standards and Technology. This tool provides users with a systematic and repeatable approach for assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems. CSET may be useful in developing and maintaining an SSP, similar to what eMASS and Xacta do for DoD and Intelligence Community (IC) entities. The tool provides a template for NIST SP 800-171.
      • Defense Industrial Base Cybersecurity (DIB CS) Program. Membership provides access to tools, tips, and reports delivered via encrypted email as well as a collaboration portal. A medium-assurance hardware token (e.g. CAC, ECA) is required.
      • Procurement Technical Assistance Program (PTAP). The DoD is leveraging the PTAP to provide information addressing implementation of DFARS Clause 252.204-7012. Administered by the Defense Logistics Agency, the PTAP provides matching funds through cooperative agreements with state and local governments and non-profit organizations for the establishment of Procurement Technical Assistance Centers (PTACs). These centers, many of which are affiliated with Small Business Development Centers and other small business programs, form a nationwide network of counselors who are experienced in government contracting. The Department has provided the PTACs with information for small businesses who seek their assistance on the implementation of its cybersecurity regulations.
      • Thycotic Customizable Cyber Security Incident Response Plan Template
      • Thycotic Privileged Account Discovery Tool for Windows
      • NIST Manufacturing Extension Partnership (MEP). MEP is a nationwide system with centers located in every state. MEP centers are non-profit organization that partner with the Federal government to offer products and services that meet the specific needs of their local manufacturers.
      • DoD Procurement Toolbox. DoD posts all related regulations, policy, frequently asked questions (FAQ), and resources addressing DFARS Subpart 204.73 and PGI Subpart 204.73 and DFARS Subpart 239.76 and PGI Subpart 239.76 under the Cybersecurity tab.
      • CUI Registry. The CUI Registry is the online repository for information, guidance, policy, and requirements on handling CUI, including issuances by the CUI Executive Agent. Among other information, the CUI Registry identifies approved CUI categories and subcategories, provides general descriptions for each, identifies the basis for controls, and sets out procedures for the use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, reusing, and disposing of the information. 
      • I-Assure RMF Templates. The plan and policy templates are developed for NIST SP 800-53 but can be applied towards NIST SP 800-171 requirements.
      • NIST SP 800-53 Rev 4: number of controls and enhancements per Low, Moderate, and High baselines.
      Outside Services to Assist with Compliance:
      What We Expect from External Auditors:
      Focus on the following major security program components:
      • Multifactor authentication (MFA)
      • Strong password policies
      • Identifying and mitigating vulnerabilities
      • Documenting and tracking cybersecurity incidents
      Risks of Non-Compliance:
      • Termination. Failure to provide an SSP and POA&M.
      • DCMA (Defense Contract Management Agency) audit.
      • False Claims Act violation. If your SSP or POA&M is not accurate and thus misrepresents your cybersecurity status, the DoD may take action based on fraud.
      To-Do!
      • Update this blog entry based on information gathered at DoDIIS Worldwide August 18 - 21, 2019. 
      • Create MS Project schedule to plan PSI's path towards compliance and achieving level 3 or better CMMC certification.
      "Adequate security" means protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.
      "Contractor attributional/proprietary information" means information that identifies the contractor(s), whether directly or indirectly, by the grouping of information that can be traced back to the contractor(s) (e.g., program description, facility locations), personally identifiable information, as well as trade secrets, commercial or financial information, or other commercially sensitive information that is not customarily shared outside of the company.
      "Controlled Technical Information" means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions. 
      "Covered contractor information system" means an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information. 
      "Covered defense information (CDI)" means unclassified controlled technical information or other information (as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html) that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is

      • (1)  Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract;
      • (2)  Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
      • DFARS clause 252.204-7012 defines CDI to include four different categories: (1) controlled technical information (CTI) (e.g. military technical specifications), (2) operations security, (3) export controlled information, and (4) any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies (a 'catch all' for privacy or proprietary business information). CDI may either be provided to the contractor by or on behalf of DoD in connection with the performance of the contract, or collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
      "Information system" means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. 
      "Media" means physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration memory chips, and printouts onto which covered defense information is recorded, stored, or printed within a covered contractor information system. 
      "Rapidly report" means within 72 hours of discovery of any cyber incident. 
      "Technical information" means technical data or computer software, as those terms are defined in the clause at DFARS 252.227-7013, Rights in Technical Data-Non Commercial Items, regardless of whether or not the clause is incorporated in this solicitation or contract. Examples of technical information include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.
      Other definitions:
      Federal Information System. NIST SP 800-171 Rev 1 defines a federal information system as a system that is used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. A system that does not meet such criteria is a nonfederal system.
      Controlled Unclassified Information (CUI). Title 32 (National Defense), Chapter XX (Information Security Oversight Office, National Archives and Records Administration), Part 2002 (Controlled Unclassified Information), Section 2002.4(h) defines CUI as information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information (see paragraph (e) of that section) or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or requiring or permitting agencies to control the information and specifying only some of the controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify.
      Established by Executive Order 13556, November 4, 2010, CUI is unclassified information that the U.S. government has deemed necessary to safeguard because it directly affects the government's ability to carry out its designated missions and business operations. CUI is sensitive information that often concerns privacy and safety, contains proprietary business interests (e.g. contracts, reports), or is critical to law enforcement investigations.
Executive Order 13556, "Controlled Unclassified Information," November 4, 2010, establishes that the Controlled Unclassified Information (CUI) Executive Agent, designated as the National Archives and Records Administration (NARA), shall develop and issue such directives as are necessary to implement the CUI Program. Consistent with this tasking and with the CUI Program's mission to establish uniform policies and practices across the federal government, NARA issued a final federal regulation (32 CFR Part 2002) in 2016 establishing the required controls and markings for CUI government-wide. This regulation binds agencies throughout the executive branch to uniformly apply the standard safeguards, markings, dissemination, and decontrol requirements established by the CUI Program. Only information that requires safeguarding or dissemination controls pursuant to federal law, regulation, or governmentwide policy may be designated as CUI. Per NIST SP 800-171, Controlled Unclassified Information is any information that law, regulation, or governmentwide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, "Classified National Security Information," December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.

      Further Reading:

      • https://www.cybersaint.io/the-definitive-guide-to-dfars-compliance-and-nist-sp-800-171
      • https://www.lockheedmartin.com/en-us/suppliers/cybersecurity.html

      References:
